#1 2016-02-21 10:04:38

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Linux Mint ISOs/website hacked

You may have seen this already, I know we have distro hoppers on here:

http://blog.linuxmint.com/?p=2994&_utm_source=1-2-2

Question: If your checksums are being served from the same box as your ISOs, could a compromise of both be mitigated somewhat by serving them from different repositories? Spread the risk? Checksums on https://github.com/BunsenLabs perhaps?

red

Last edited by redcollective (2016-02-21 10:20:43)


Knowledge Ferret

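The "spread the risk" idea in the question above, as an added example that is not from the original post: a verifier that only accepts an image when checksum manifests fetched from independent sources all agree with each other and with the download, so a single compromised host cannot both swap the image and its published sum (it uses SHA-256 rather than the MD5 sums of the incident; filenames, image bytes and manifests are constructed). A signed manifest checked against a key obtained out of band is still the stronger control, since two sources can be compromised together.

```python
import hashlib
from typing import Dict, Iterable


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.
    Blank lines and '#' comments are skipped; a leading '*' (binary mode) is dropped."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the image contents."""
    return hashlib.sha256(data).hexdigest()


def verify(name: str, data: bytes, manifests: Iterable[str]) -> str:
    """Check one image against every manifest; every source must agree.
    'missing'  - some source has no entry for the file
    'disagree' - the sources publish different digests (one is likely tampered)
    'mismatch' - the sources agree but the downloaded image differs
    'ok'       - all sources agree and the image matches"""
    expected = []
    for text in manifests:
        sums = parse_manifest(text)
        if name not in sums:
            return "missing"
        expected.append(sums[name])
    if len(set(expected)) != 1:
        return "disagree"
    return "ok" if sha256_hex(data) == expected[0] else "mismatch"


# Constructed sample data (hypothetical filename): a stand-in image, a tampered
# copy, and the manifests that independent sources might publish for it.
IMAGE = b"constructed stand-in for a distribution ISO\n"
TAMPERED = IMAGE + b"constructed stand-in for an injected backdoor\n"
ISO_NAME = "example-distro-64bit.iso"
MANIFEST_PRIMARY = f"{sha256_hex(IMAGE)}  {ISO_NAME}\n"
MANIFEST_MIRROR = f"{sha256_hex(IMAGE)} *{ISO_NAME}\n"
MANIFEST_TAMPERED = f"# served from a compromised host\n{sha256_hex(TAMPERED)}  {ISO_NAME}\n"

if __name__ == "__main__":
    print(verify(ISO_NAME, IMAGE, [MANIFEST_PRIMARY, MANIFEST_MIRROR]))      # ok
    print(verify(ISO_NAME, TAMPERED, [MANIFEST_PRIMARY, MANIFEST_MIRROR]))   # mismatch
    print(verify(ISO_NAME, TAMPERED, [MANIFEST_TAMPERED, MANIFEST_MIRROR]))  # disagree
```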

#2 2016-02-21 11:58:15

tknomanzr
BL Die Hard
From: Around the Bend
Registered: 2015-09-29
Posts: 1,057

Re: Linux Mint ISOs/website hacked

A really, really good reason to avoid Wordpress like the plague.


#3 2016-02-21 13:32:57

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,100

Re: Linux Mint ISOs/website hacked

Nice stuff, nobody.

Clem looks like he's on top of things.  Hope it all works out for him and the Mint users - and all of Linuxlandia.


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#4 2016-02-21 13:49:52

Neil
Member
From: Paragould AR USA
Registered: 2015-10-12
Posts: 4

Re: Linux Mint ISOs/website hacked

Hey, thanks for posting the link.  I noticed the Mint forum was down yesterday, but had no idea why.  Now I know.  And while I'm not directly affected by the hack, it is nice to know what's going on.


#5 2016-02-21 14:08:52

balloon
Member
From: 日本 Japan
Registered: 2015-11-21
Posts: 53

Re: Linux Mint ISOs/website hacked

If you have looked carefully at the Mint blog, you will notice my name in the comments.
At that time it was lunchtime in Japan, Sunday activity time for Japanese users...

As far as I know, the modus operandi of the hack
was to link to a different server by tampering with the Web site.
Therefore, the Mint administrator prevented the damage from spreading by shutting down the Web server.
Mint's Web server and forum run on the same server.
Therefore the Mint forum cannot be seen now.


#6 2016-02-22 07:20:29

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93

Re: Linux Mint ISOs/website hacked

The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.

:D

While I greatly appreciate them going public about this, this:

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

is too little technical information for my taste. I hope they (or somebody else) are going to do a more in-depth write-up.


#7 2016-02-22 07:50:55

tknomanzr
BL Die Hard
From: Around the Bend
Registered: 2015-09-29
Posts: 1,057

Re: Linux Mint ISOs/website hacked

Clem mentioned in the comments below the announcement that the site is built using Wordpress. That was all I really needed to read. Slogging through that mess of PHP code to figure out the vulnerability is not going to be fun. Then again, if a simple upgrade to Wordpress will do the trick, the question then becomes how much of his site will break due to the upgrade? My recommendation to anyone who wants to call themselves a web coder is: avoid Wordpress. It is nearly legendary for its security vulnerabilities.


#8 2016-02-22 08:17:34

brontosaurusrex
Senior Associate, Middle Office
Registered: 2015-09-29
Posts: 2,763

Re: Linux Mint ISOs/website hacked

This is definitely going to leave a bad taste for PHP, Wordpress and Linux Mint, whether based on facts or not.


#9 2016-02-22 09:14:07

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93

Re: Linux Mint ISOs/website hacked

tknomanzr wrote:

Clem mentioned in the comments below the announcement that the site is built using Wordpress. That was all I really needed to read. Slogging through that mess of PHP code to figure out the vulnerability is not going to be fun. Then again, if a simple upgrade to Wordpress will do the trick, the question then becomes how much of his site will break due to the upgrade? My recommendation to anyone who wants to call themselves a web coder is: avoid Wordpress. It is nearly legendary for its security vulnerabilities.

Wordpress Core has a relatively good track record, definitely not worse than the other content management systems out there. Extensions, themes, plugins and clueless 'administrators' are the problem.

brontosaurusrex wrote:

This is definitely going to leave a bad taste for PHP, Wordpress and Linux Mint, whether based on facts or not.

Will it? I doubt it. At the end of the week, everybody (literally EVERYBODY) will already have forgotten about this.


#10 2016-02-22 09:48:35

brontosaurusrex
Senior Associate, Middle Office
Registered: 2015-09-29
Posts: 2,763

Re: Linux Mint ISOs/website hacked

Clueless 'administrators' & Mint developers should be two different species, that's why. Probably Clem should also take some other PR approach than:

... we’ll probably also contract a security firm to look into the bottom of this for us, we’re software developers not intrusion experts. ...

Personally I think the transparent approach is great.

Last edited by brontosaurusrex (2016-02-22 09:51:58)


#11 2016-02-22 10:39:47

balloon
Member
From: 日本 Japan
Registered: 2015-11-21
Posts: 53

Re: Linux Mint ISOs/website hacked

I re-read the comments on the original article;
I gathered that the backdoor was planted in the WordPress group of files.

I understand this risk; I had to stop the production Web site process that uses MySQL+PHP.
I feel so sorry about such events...


#12 2016-02-22 23:40:52

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: Linux Mint ISOs/website hacked

tknomanzr wrote:

Clem mentioned in the comments below the announcement that the site is built using Wordpress.

Yes, but what was the purpose of the injection on the .iso?
Does it actually do something?


#13 2016-02-23 00:26:09

tknomanzr
BL Die Hard
From: Around the Bend
Registered: 2015-09-29
Posts: 1,057

Re: Linux Mint ISOs/website hacked

Nearest I can tell from the comments it was a backdoor, most likely to make it easier to gain root. Considering he had been DDoS'd as well, it is highly likely the attempt and the intent was to create a botnet.

Of course, we all know that nothing much can be accomplished in any Unix-style OS until you can gain some form of privilege escalation, so the code vulnerability via Wordpress (most probably) made it possible for the second stage of the attack, which would have been via the ISOs. Fortunately, Clem managed to catch on before the legion of Mint users all unwittingly became part of the botnet. His package servers were unaffected.

In a similar vein, just the other day, I noticed my WD NAS appliance had been subject to a potential cross-site scripting coupled with a PHP code injection vulnerability (lack of proper HTML sanitizing). The situation with this is aggravated by a couple of different choices WD made: 1.) They moved away from Debian and onto Linaro for their Linux base at some point. I really know nothing about Linaro and it appears that their forums, etc. are behind a paywall. Imagine if we did that. :( Along with 2.) This is an armel processor, so even migrating it back to Debian would take some doing.

I have several different issues already with the appliance that make me cringe. The appliance comes with light-httpd, Apache, PHP and a RESTful API. This is all part of their web-based interface stuff and the source of their code vulnerability. I can, however, ssh into the box so I don't really need all of that stuff running, except it has no package manager that I can see. Dpkg is all you get. OK, so it's still Debian on some level, but it's the craziest setup I have ever seen, to the point that there are numerous scripts down in /usr/local overwriting the Debian code base, near as I can tell. Also, their sshd setup is not really that secure. I have to downgrade the ssh security on my sid box to even connect to it.

All of this has convinced me that this was a mistake in terms of money. The only intelligent way to go about setting up a file server, for me, is to build it myself.

Anyway, I got long-winded but an attack of the nature that Mint experienced is a bit concerning and I certainly hope the Mint user-base stands behind Clem either monetarily or with hands-on expertise to help him secure his code. This is the kind of thing that makes me glad that we are not just one person trying to manage all the different aspects of building and distributing a distro.

Last edited by tknomanzr (2016-02-23 00:26:50)


#14 2016-02-23 00:44:22

Rocky
Member
From: Ireland
Registered: 2016-02-03
Posts: 25

Re: Linux Mint ISOs/website hacked

tknomanzr wrote:

...All of this has convinced me that this was a mistake in terms of money. The only intelligent way to go about setting up a file server, for me, is to build it myself.

Samba on Debian? Or, for a graphical setup interface, Samba on BunsenLabs?


"The long way out is the short way home"


#15 2016-02-23 04:05:59

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,947

Re: Linux Mint ISOs/website hacked

nobody wrote:
balloon wrote:

MySQL+PHP

FluxBB runs on the same kind of stack :)

Another good reason to have the BL website on a different server from the forum.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop


#16 2016-02-23 08:10:09

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93

Re: Linux Mint ISOs/website hacked

tknomanzr wrote:

Nearest I can tell from the comments it was a backdoor, most likely to make it easier to gain root. Considering he had been DDoS'd as well, it is highly likely the attempt and the intent was to create a botnet.

Newspapers in Austria and Germany spoke about the modified images collecting login data; no idea if they pulled that out of their arse or if that's the case.

tknomanzr wrote:

Of course, we all know that nothing much can be accomplished in any Unix-style OS until you can gain some form of privilege escalation, so the code vulnerability via Wordpress (most probably) made it possible for the second stage of the attack, which would have been via the ISOs. Fortunately, Clem managed to catch on before the legion of Mint users all unwittingly became part of the botnet. His package servers were unaffected.

The need for a privilege escalation wasn't necessarily there. In the (hopefully unlikely) case that the webserver was running with administrative privileges, that would have been enough. But I'm guessing the images were owned by the same user, so they could just modify them without much of a hassle.


#17 2016-02-23 08:34:25

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: Linux Mint ISOs/website hacked

tknomanzr, what's WD?


#18 2016-02-23 08:42:41

pvsage
Internal Affairs
Registered: 2015-09-29
Posts: 1,433

Re: Linux Mint ISOs/website hacked

^ Western Digital?


Be excellent to each other, and...party on, dudes!
BunsenLabs Forum Rules
Tending and defending the Flame since 2009


#19 2016-02-23 09:19:28

iMBeCil
WAAAT?
From: Edrychwch o'ch cwmpas
Registered: 2015-09-29
Posts: 767

Re: Linux Mint ISOs/website hacked

^No, it is Winchester disc.


Postpone all your duties; if you die, you won't have to do them ..


#20 2016-02-23 14:28:08

tknomanzr
BL Die Hard
From: Around the Bend
Registered: 2015-09-29
Posts: 1,057

Re: Linux Mint ISOs/website hacked

Yeah, Western Digital. It is my aim to eventually hack that box and get it running Debian again, along with stripping out all the unnecessary stuff. However, I am not going to risk voiding the warranty on it until I build a new file server. Fortunately, I have a spare box sitting around that will do nicely. I just need to order some more parts for it.

As to configuration, SSH for sure. I am still dithering about Samba. I am thinking about putting a firewall on it. I don't really feel like it needs a desktop, but the hardware is beefy enough that I could install BL on it with no issue. Similarly, I feel like it could handle a DLNA setup for on-the-fly transcoding, etc.

The key to the old box's vulnerability lies in that RESTful API and its ability to execute bash commands through PHP. Once I get a new file server in place, I could then safely mess around with hacking the NAS appliance and stripping all that stuff out of it. I have pulled down the old image and broken it apart. It is basically a very stripped-down Debian that boots straight to the kernel. The newer images, I can't really tell. There is nothing in boot, but / has a binary called linuxrc that I suspect handles the bootstrapping. The main thing is that there is a real risk of bricking the box, as ssh is the only way to control it. I have a lot to learn before I would feel comfortable mucking around with it too much, esp. given the amount of data that it is currently storing.
